Authorization Naming and Delegation

An RBAC authorization is a discrete right that can be granted to
a role or a user. Authorizations are checked by RBAC-compliant applications before
a user gets access to the application or specific operations within the
application. This check replaces the tests in conventional UNIX applications for UID=0.

Authorization Naming Conventions

An authorization has a name that is used internally and in files.
For example, solaris.print.admin is the name of an authorization. An authorization
has a short description, which appears in the graphical user interfaces (GUIs).
For example, Administer Printer is the description of the solaris.print.admin authorization.

By convention, authorization names consist of the reverse order of the Internet
name of the supplier, the subject area, any subareas, and the function.
The parts of the authorization name are separated by dots. An example would
be com.xyzcorp.device.access. Exceptions to this convention are the authorizations from Sun Microsystems,
Inc., which use the prefix solaris instead of an Internet name. The
naming convention enables administrators to apply authorizations in a hierarchical fashion. A wildcard
(*) can represent any strings to the right of a dot.

Example of Authorization Granularity

As an example of how authorizations are used, consider the following: A
user in the Network Link Security role would be limited to the solaris.network.link.security
authorization, while the Network Security role has the Network Link Security rights
profile as a supplementary profile, plus the solaris.network.* and solaris.smf.manage.ssh authorizations.

Delegation Authority in Authorizations

An authorization that ends with the suffix grant enables a user
or a role to delegate to other users any assigned authorizations that
begin with the same prefix.

For example, a role with the authorizations solaris.admin.usermgr.grant and solaris.admin.usermgr.read can delegate
the solaris.admin.usermgr.read authorization to another user. A role with the solaris.admin.usermgr.grant and solaris.admin.usermgr.*
authorizations can delegate any of the authorizations with the solaris.admin.usermgr prefix to
other users.

The solaris auth.delegate authorization enables a user or a role to delegate to
other users any authorizations that these users or roles are assigned.

For example, a role with the solaris auth.delegate and solaris.network.wifi.wep authorizations can delegate
the solaris.network.wifi.wep authorization to another user or role. Similarly, a role with the
solaris auth.delegate and solaris.network.wifi.wep authorizations can delegate the solaris.network.wifi.wep authorization to another user
or role.